Just as registered investment advisors name adopting cybersecurity policies as their top compliance chore, RIAs rate anti-money laundering policies as their second biggest concern. 

The Investment Adviser Association and ACA Compliance Group’s just-released annual compliance survey found that 88% of the 730 advisors polled identify “cybersecurity/privacy/identity theft” as their hottest compliance concern this year.

For the third year in a row, 24% of compliance officers at RIAs cited anti-money laundering/anti-bribery and corruption as their second biggest priority – triple last year’s 8%.

Firms of all sizes responded to the annual compliance survey, with 34% managing less than $1 billion, 43% managing $1 billion to $10 billion, and 23% managing more than $10 billion. Two-thirds (66%) of responding firms reported having 50 or fewer employees. The online poll was conducted from April 27 through May 25.

Nearly nine in 10 respondents cited concerns about data and information security, with nearly three-quarters – 72% – reporting having a formal, written, standalone cybersecurity program, a jump of 43% from 2015. Another 21% reported having cybersecurity policies and procedures that are incorporated into broader programs, the report notes.

While 18% reported being a victim of a cybersecurity breach in the past 18 months, another 7% said they did not know whether their systems had been breached.

One-third (33%) have purchased specific cyber insurance, while another 15% are considering purchasing insurance.

Seventy-four percent of RIAs also reported devoting resources to cybersecurity/privacy/identity theft compliance testing.

Social media compliance is also a top priority for RIAs, with 90% having adopted formal written policies and procedures to govern the use of social media by employees. Nearly four in 10 – 37% – also noted that they prohibit the use of social networking sites for business purposes, down from 47% in 2015.

Sanjay Lamba, IAA assistant general counsel, noted that IAA’s “hope is that our findings will assist firms in benchmarking their compliance practices against other firms.”

As IAA notes, while the Treasury Department’s Financial Crimes Enforcement Network is poised to finalize new regulations that will make advisors registered with the Securities and Exchange Commission subject to the Bank Secrecy Act’s anti-money laundering regime, the vast majority of survey respondents – 88% – believe their firms’ AML risk is low.

Nevertheless, the survey notes, 76% have already adopted AML policies and procedures, and 40% believe their policies and procedures will satisfy the proposed AML requirement for advisors.

Under the FinCEN proposal, advisors must also report suspicious activity to FinCEN pursuant to the Bank Secrecy Act, and FinCEN has also included investment advisors in the general definition of “financial institution,” which, among other things, would require them to file Currency Transaction Reports (CTRs) and keep records relating to money transfers. The rule is still pending, FinCEN spokeswoman Candice Basso told ThinkAdvisor in April. “As usual, FinCEN is considering public comments as it crafts the final rule.”

Indeed, Peter Driscoll, head of the new risk and strategy office, housed within the SEC’s Office of Compliance Inspections and Examinations, noted in mid-April that his office is “really focused” on anti-money laundering violations and has been working with the enforcement division to share information in this area. The SEC, he said, has hired former FinCEN employees to help the agency enforce AML and suspicious activity report compliance.

Two-thirds of respondents (66%) to the IAA/ACA poll reported that they periodically review their AML policies, while 56% said staff responsible for AML matters at their firms have sufficient seniority and experience. Nearly half – 49% – said they trained all employees on their firms’ AML policies on at least an annual basis.

As to the cost of compliance, nearly half of respondents – 48% – said their firms spend between $100,000 and $500,000 annually on compliance-related costs. Twenty percent put their compliance costs at under $100,000; 25% reported compliance costs of $100,000 to $250,000; 22% said their compliance costs are between $250,000 and $500,000; 14% reported compliance costs over $1 million but less than $5 million; and three percent put their compliance costs at $5 million or more.

Fully 59% of respondents reported hiring a third party to conduct compliance reviews of their firms, and 40% of those reviews were mock SEC-type examinations. 

Most respondents (38%) paid third parties between $10,000 and $30,000 while 33% paid between $20,000 and $50,000.
